Since nearly the beginning of the Internet, malware has been a significant deterrent to productivity for end users, both personal and business related. Due to the pervasiveness of digital technologies in all aspects of human lives, it is increasingly unlikely that a criminal event does not involve a digital device as goal, medium or simply 'witness'. Forensic investigations include the collection, recovery, analysis, and presentation of information stored on network devices and related to network crimes. These activities often involve a wide range of analysis tools and the application of different methods. This work presents methods that help digital investigators to correlate and present information acquired from forensic data, with the aim of obtaining more valuable reconstructions of events or actions in order to reach case conclusions. The main aim of network forensics is to gather evidence. Additionally, the evidence obtained during the investigation must be produced through a rigorous investigation procedure in a legal context.

Keywords: Network forensics; Network traffic; Sniffing
1. INTRODUCTION

Network forensics integrates network sniffing, capturing, and analysis. Using traffic and event logs, a network security incident can be analyzed. Network forensics is essential to determine the kind of network attack and to find the offenders. Additionally, the evidence obtained during the investigation must be produced through a rigorous investigation procedure in a legal context [1]. Nevertheless, there are several reasons why network forensics is a difficult task. First, while capturing network traffic is straightforward in theory, it is challenging in practice because of several underlying issues, such as the volume of data flowing over the network and the complexity of Internet protocols. As a result, extensive resources are needed for network traffic recording [2]. Due to the huge quantities, it is frequently impossible to record all the data that is transmitted across the network. Again, for later examination, this recorded data needs to be backed up to free up the recording medium [3], [4]. Furthermore, the most important and time-consuming duty is the examination of the recorded data [5]. There are several automated analysis tools available for forensic use, but they are insufficient on their own because there is no way to distinguish malicious traffic produced by an attacker from the pool of legitimate traffic with absolute certainty. Because there is always a danger of false positive results when using automated traffic analysis tools, human judgement is equally essential. However, precautions should be taken to ensure network forensics preparedness in advance, such as by setting up proper event recording and data collection systems that can provide important artifacts for examination during a forensic inquiry.
2. METHOD
2.1. Collecting evidence 

Collecting evidence means locating and gathering information that is often present on network devices and along the traffic paths inside a network. This data gathering is essential in the event of an incident where an outside threat source is trying to control internal systems or steal information from the network [6], [7]. When evaluating host evidence, network-based evidence is particularly helpful since it offers a second source of event corroboration, which is crucial for identifying an incident's primary cause [8], [9].


2.1.1. Via sniffers 

A network's traffic can be a useful source of information about intrusions or strange connections. Network sniffers, also known as packet sniffers, are tools that can intercept and record network traffic; they were created in response to the need to collect this data. Sniffers place network interface cards (NICs) in promiscuous mode, allowing them to listen to and record every bit of data sent over the network. Hardware taps and spanned ports make switched networks easier to sniff [10]. In addition to the physical and data-link layers, sniffers also capture traffic from the network and transport layers. Because of its monitoring and analysis capabilities, a packet sniffer is used in network forensics to manage traffic, monitor network components, and detect breaches. Forensic investigators use sniffers to examine any suspicious application or device. A few examples of sniffers are as follows:


a. Sniffing tool: tcpdump 

Tcpdump prints out a description of the contents of packets on a network interface that match a Boolean filter expression. The -w flag instructs the program to store the raw packet data to a file for subsequent analysis, and the -r flag instructs it to read packets from a saved capture file instead of a network interface. Tcpdump only ever examines packets that match the supplied expression. If run without the -c flag, tcpdump captures packets until it is interrupted by a SIGINT (interrupt) or SIGTERM signal; if run with the -c flag, it stops either when such a signal arrives or when the specified number of packets has been processed.


b. Sniffing tool: Wireshark

Wireshark is a GUI network protocol analyzer. It allows the investigator to interactively browse packet data from either a captured file or a live network. The native capture file format for Wireshark is libpcap, which is also the format supported by tcpdump and a number of other utilities. With Wireshark, investigators can perform live capture and offline analysis as well as thorough inspection of hundreds of protocols. It works on several operating systems, including Windows, Linux, macOS, Solaris, FreeBSD, and NetBSD. Wireshark can read any capture file that has been compressed with gzip; the .gz extension is not necessary for this, as Wireshark detects the compression directly from the file [11]. Like other protocol analyzers, Wireshark's main window displays three views of a packet: a line that summarizes the contents of the packet, a protocol tree that enables the investigator to drill down to the specific protocol or field of interest, and a hex dump that shows exactly how the packet appears as it travels across the wire.


2.1.2. Via security information and event management (SIEM) system

A major issue that many companies face is the nature of logging on network devices. Log files are frequently rolled over, whereby new log files are written over previous log files, due to a lack of space. As a result, an organization may only have a few days' or even a few hours' worth of crucial logs. The incident response team will then lack crucial pieces of evidence if a possible event occurred several weeks earlier [12].

An enterprise-wide technology that has gained popularity is the SIEM system. These appliances 
have the capacity to gather log and event information from several network sources and consolidate it in one 
place. This eliminates the need to look at individual systems and enables the computer security incident 
response team (CSIRT) and other security experts to monitor activities across the whole network [13], [14]. 

Logs are configured to be sent to the SIEM from a number of sources, including structured query language (SQL) databases and security controls. In this instance, the SQL database at 10.100.20.18 reports that a user account was used to copy a database to the remote server at 10.88.6.12. This kind of behavior can be quickly examined thanks to the SIEM. If it is discovered that the account was compromised, for instance, CSIRT analysts can instantly search the SIEM for any activity involving that account. The log record indicating a database copy to the remote computer would then be visible to them. Without the SIEM, CSIRT analysts would have to search every single system that may have been accessed, which might be a time-consuming procedure [15], [16].
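The account pivot described above, as an added example that is not part of the original paper: consolidated records from several sources are parsed into fields, then searched once for the account and once for the reporting host, so the database-copy event and the firewall's view of the same connection line up. The records are constructed for the example; the hostnames, the source names and the account "jdoe" are assumptions, while the two IP addresses are the ones in the text.

```python
import re

# Constructed sample of consolidated SIEM records (syslog-style key=value lines),
# modelled on the scenario in the text: the SQL database at 10.100.20.18 reports
# a database copy to the remote server 10.88.6.12. Hostnames, sources and the
# account name "jdoe" are assumptions for the example.
SIEM_RECORDS = """\
2024-03-04T09:12:01Z host=vpn01 src=vpn msg="login ok" user=jdoe ip=203.0.113.7
2024-03-04T09:14:22Z host=sqldb01 src=sql ip=10.100.20.18 msg="login ok" user=jdoe
2024-03-04T09:15:40Z host=sqldb01 src=sql ip=10.100.20.18 msg="database copy" user=jdoe dst=10.88.6.12
2024-03-04T09:16:03Z host=fw01 src=firewall msg="allow tcp/445" ip=10.100.20.18 dst=10.88.6.12
2024-03-04T09:20:11Z host=ws42 src=endpoint msg="logon" user=asmith ip=10.100.31.9
"""

# key=value, with the value either double-quoted (may contain spaces) or bare
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_record(line):
    """Turn one record into a dict; the first token is the ISO timestamp."""
    ts, _, rest = line.partition(" ")
    fields = {"ts": ts}
    for key, quoted, bare in FIELD_RE.findall(rest):
        fields[key] = quoted if quoted else bare
    return fields

def load_records(text):
    return [parse_record(l) for l in text.splitlines() if l.strip()]

def pivot_on_account(records, account):
    """Every record, from any source, involving the account, in time order.
    This is the single search the text describes instead of visiting each host."""
    return sorted((r for r in records if r.get("user") == account),
                  key=lambda r: r["ts"])

def copies_to_remote_hosts(hits):
    """Among an account's records, pick the events that name a destination host:
    (timestamp, reporting system, destination)."""
    return [(r["ts"], r["ip"], r["dst"]) for r in hits if "dst" in r]

def activity_from_host(records, host_ip):
    """Second pivot: everything any source reported about a given system."""
    return [r for r in records if r.get("ip") == host_ip]
```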
2.2. Analyzing evidence

In this procedure, we analyze the information obtained during the previous step using instruments and methods that may transform readily available information into strong proof that helps to resolve the "W questions": who, what, when, where, and how? This stage allows us to fully comprehend the case and the motives that could be at play [17], [18]. It may be feasible to clearly identify the case type: unintentional, dissatisfied employee, or industrial espionage.


2.2.1. Analyzing traffic for sniffing attempts and SMB password cracking attempts 

In eavesdropping techniques like sniffing and man-in-the-middle attacks, an attacker places themselves between a client and a server to intercept messages. Attackers snoop through network traffic looking for private data [11]. When someone is trying to crack a server message block (SMB) password, Wireshark's network traffic analysis would show many attempts to log in using various identities [19], [20]. A brute-force attack attempt on the SMB protocol is clearly suggested by the data intercepted by Wireshark, which shows many usernames together with the response "Error: STATUS_LOGON_FAILURE".


2.2.2. Analyze traffic for MAC flooding attempt 

In the active sniffing technique known as media access control (MAC) flooding, the attacker connects to a port on the switch and fires out an onslaught of Ethernet frames with forged MAC addresses. The attacker's target is the content addressable memory (CAM) table that the switch keeps. As a result, another name for this attack is the CAM flooding attack [21].

Wireshark regards MAC-flooded packets as malformed packets. The source and destination addresses, as well as the packet's time to live (TTL), can help an investigator identify a MAC flooding attempt. To do this, open Analyze > Expert Information and look at the malformed packets [22].


2.2.3. Analyze traffic for TCP SYN flood DoS attack 

SYN flooding is a sort of DoS attack in which the attacker uses several fake IP addresses to deliver 
a huge volume of SYN packets to the target server continuously. The server transmits SYN-ACK packets in 
response to the SYN packets, but no ACK packet is received from the client to complete the three-way TCP 
handshake. Thus, the attacker may swiftly deplete the target server's CPU and RAM resources and make it 
unresponsive, which finally leads to DoS. 


2.2.4. Analyze traffic for file transfer protocol (FTP) password cracking attempts 

Password cracking is the process of acquiring or recovering passwords either by performing a password guessing effort using a file containing frequently used passwords, or by trial and error. These strategies are known as dictionary attacks and brute force attacks, respectively. By counting the number of login attempts made from the same IP address or for the same username, an investigator can spot this kind of attack.

FTP is a widely used protocol for transferring files between computers using the TCP/IP suite over the Internet. FTP is a client-server protocol that uses two channels of communication to connect a client and a server: one carries the control conversation and the other carries the actual file contents. The server replies to a client's download request by providing the specific file requested. The user must enter their username and password to log into the FTP server before starting an FTP session. An FTP password attack involves the attacker attempting to discover any authorized user's password.
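The counting rule from Sections 2.2.1 and 2.2.4 (many failed logins from one source, against one or many usernames), as an added example that is not part of the original paper. It runs over a constructed list of authentication events of the kind an analyst would export from a capture or a SIEM; the IPs, usernames, window and threshold are assumptions.

```python
from collections import defaultdict

# Constructed authentication events, as an analyst might export them from a
# capture (e.g. tshark -T fields on smb2.nt_status / ftp.response.code) or pull
# from a SIEM: (time in seconds, protocol, source IP, username, server response).
# IPs and usernames are made up for the example.
AUTH_EVENTS = [
    (100.0, "smb", "10.0.0.5", "administrator", "STATUS_LOGON_FAILURE"),
    (100.4, "smb", "10.0.0.5", "admin", "STATUS_LOGON_FAILURE"),
    (100.8, "smb", "10.0.0.5", "backup", "STATUS_LOGON_FAILURE"),
    (101.1, "smb", "10.0.0.5", "guest", "STATUS_LOGON_FAILURE"),
    (101.5, "smb", "10.0.0.5", "svc_sql", "STATUS_LOGON_FAILURE"),
    (101.9, "smb", "10.0.0.5", "jdoe", "STATUS_SUCCESS"),
    (200.0, "ftp", "10.0.0.9", "ftpuser", "530 Login incorrect."),
    (200.2, "ftp", "10.0.0.9", "ftpuser", "530 Login incorrect."),
    (200.4, "ftp", "10.0.0.9", "ftpuser", "530 Login incorrect."),
    (200.6, "ftp", "10.0.0.9", "ftpuser", "530 Login incorrect."),
    (200.9, "ftp", "10.0.0.9", "ftpuser", "230 Login successful."),
    (300.0, "ftp", "10.0.0.20", "alice", "530 Login incorrect."),   # a single typo
    (900.0, "ftp", "10.0.0.20", "alice", "230 Login successful."),
]

# What a failed login looks like on the wire for each protocol
FAILURE_MARKERS = {"smb": "STATUS_LOGON_FAILURE", "ftp": "530"}

def is_failure(proto, response):
    return response.startswith(FAILURE_MARKERS[proto])

def find_password_guessing(events, window=60.0, threshold=4):
    """Sources whose failed logins within any `window` seconds reach `threshold`.
    Reports the largest such burst and the distinct usernames tried: many names
    means enumeration of accounts, one name repeated means guessing its password."""
    by_src = defaultdict(list)
    for ts, proto, src, user, resp in events:
        if is_failure(proto, resp):
            by_src[(proto, src)].append((ts, user))
    alerts = {}
    for key, fails in by_src.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):            # sliding window over sorted times
            while fails[end][0] - fails[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and count > alerts.get(key, {}).get("failures", 0):
                names = sorted({u for _, u in fails[start:end + 1]})
                alerts[key] = {"failures": count, "usernames": names}
    return alerts
```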


2.2.5. Analyze traffic for ARP poisoning attempt 

ARP poisoning is another active sniffing technique: the attacker answers ARP traffic with forged replies so that an IP address on the segment becomes associated with the attacker's MAC address. Wireshark displays the warning "Duplicate IP address detected" when duplicate IP addresses are found in ARP traffic. After collecting the packets, you may use the filter arp.duplicate-address-detected to look for signs of an ARP poisoning attack.
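The two layer-2 checks from Sections 2.2.2 and 2.2.5, as an added example that is not part of the original paper: raw Ethernet/ARP frames are parsed with the standard library, an IP address answered for by more than one MAC is reported (the condition behind Wireshark's duplicate-address warning), and the number of distinct source MACs is counted (the CAM-table flooding signature). The frames, MAC and IP addresses are constructed for the example.

```python
import struct
from collections import defaultdict

ETH_HDR = struct.Struct("!6s6sH")           # dst MAC, src MAC, EtherType
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")   # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806

def mac(b): return ":".join(f"{x:02x}" for x in b)
def ip(b): return ".".join(str(x) for x in b)

def build_arp(src_mac, src_ip, dst_mac, dst_ip, op):
    """Construct a raw Ethernet/ARP frame (sample data for the example only)."""
    sha, tha = (bytes.fromhex(m.replace(":", "")) for m in (src_mac, dst_mac))
    spa, tpa = (bytes(int(o) for o in a.split(".")) for a in (src_ip, dst_ip))
    return ETH_HDR.pack(tha, sha, ETHERTYPE_ARP) + ARP_PKT.pack(1, 0x0800, 6, 4, op, sha, spa, tha, tpa)

def parse_frame(frame):
    """(Ethernet src MAC, ARP sender MAC, ARP sender IP); last two are None if not ARP."""
    _, src, etype = ETH_HDR.unpack_from(frame)
    if etype != ETHERTYPE_ARP:
        return mac(src), None, None
    _, _, _, _, _, sha, spa, _, _ = ARP_PKT.unpack_from(frame, ETH_HDR.size)
    return mac(src), mac(sha), ip(spa)

def arp_duplicate_addresses(frames):
    """IPs claimed by more than one MAC in ARP (Wireshark's 'Duplicate IP address
    detected' condition): {ip: sorted MACs}."""
    claims = defaultdict(set)
    for f in frames:
        _, sha, spa = parse_frame(f)
        if spa:
            claims[spa].add(sha)
    return {a: sorted(m) for a, m in claims.items() if len(m) > 1}

def distinct_source_macs(frames):
    """Distinct Ethernet source MACs; thousands on one port within seconds is the
    CAM-table flooding pattern of Section 2.2.2."""
    return len({parse_frame(f)[0] for f in frames})

# Constructed traffic: the gateway 192.168.1.1 answers the victim, then a second
# host (the poisoner) answers for the same IP with its own MAC.
BCAST = "ff:ff:ff:ff:ff:ff"
POISONED = [
    build_arp("00:11:22:33:44:55", "192.168.1.10", BCAST, "192.168.1.1", 1),                 # victim asks
    build_arp("aa:bb:cc:00:00:01", "192.168.1.1", "00:11:22:33:44:55", "192.168.1.10", 2),   # real reply
    build_arp("de:ad:be:ef:00:01", "192.168.1.1", "00:11:22:33:44:55", "192.168.1.10", 2),   # forged reply
]
# Constructed flood: 1000 frames, each from a different forged source MAC and IP
FLOOD = [build_arp(f"02:00:00:00:{i >> 8:02x}:{i & 255:02x}", f"10.{i >> 8}.{i & 255}.1",
                   BCAST, "10.0.0.254", 1) for i in range(1000)]
```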


2.2.6. Analyze traffic to detect malware activity 

The traces of a malware infection can be found in the ongoing network traffic patterns. Once installed on the target machine, malware often tries to connect to its command-and-control (C2) server for data exfiltration or further instructions. It does this by connecting to certain IP addresses or opening certain ports on the target system, which can be tracked by tools like Wireshark [23].


Collecting and analyzing network-based evidence (Ashwini K. Singh) 


4 0 ISSN: 2722-3221 


Run Wireshark on the computer that is thought to be infected with malware, then look through the 
current traffic patterns for any oddities. Once any suspicious or odd ports or IP addresses have been 
identified, you should search internet databases to see whether any malware is using those ports or if they are 
susceptible. As seen in the picture below, internet research into the suspicious port using speedguide.net's 
port database discovered that the njRAT malware frequently uses it as a default port. 


2.2.7. Analyze traffic for SYN-FIN flood DoS attack 

The SYN flag establishes a connection, and the FIN flag tears it down. In a SYN/FIN DoS attempt, the attacker floods the network with packets that have both the SYN and FIN flags set. SYN and FIN are not normally set at the same time in a TCP conversation, so a SYN/FIN DoS attack is evident if an administrator notices traffic with both flags set. The server's firewall might get overloaded during such an attack by the continuous delivery of these packets.
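The TCP-flag checks from Sections 2.2.3 and 2.2.7, as an added example that is not part of the original paper: IPv4/TCP headers are parsed from raw bytes, packets with SYN and FIN both set are listed, and SYNs to a server that the same source never completes with an ACK are counted per source (the half-open pattern of a SYN flood). Packets and addresses are constructed for the example; checksums are left at zero and IPv4 options are assumed absent in the sample.

```python
import struct
from collections import Counter

IPV4_HDR = struct.Struct("!BBHHHBBH4s4s")   # fixed 20-byte header; IHL gives the real length
TCP_HDR = struct.Struct("!HHIIBBHHH")       # 20-byte header, flags in the 6th field
FIN, SYN, ACK = 0x01, 0x02, 0x10

def ipb(s): return bytes(int(o) for o in s.split("."))

def build_tcp(src_ip, dst_ip, sport, dport, flags):
    """Construct a minimal IPv4+TCP packet (checksums zero; sample data only)."""
    ip_hdr = IPV4_HDR.pack(0x45, 0, 40, 0, 0, 64, 6, 0, ipb(src_ip), ipb(dst_ip))
    return ip_hdr + TCP_HDR.pack(sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)

def parse_tcp(pkt):
    """(src_ip, dst_ip, sport, dport, flags) for an IPv4/TCP packet, else None."""
    ver_ihl, _, _, _, _, _, proto, _, src, dst = IPV4_HDR.unpack_from(pkt)
    if proto != 6:
        return None
    sport, dport, _, _, _, flags, _, _, _ = TCP_HDR.unpack_from(pkt, (ver_ihl & 0x0F) * 4)
    return ".".join(map(str, src)), ".".join(map(str, dst)), sport, dport, flags

def syn_fin_packets(pkts):
    """Packets with SYN and FIN both set; a normal TCP conversation never sends these."""
    return [p for p in map(parse_tcp, pkts) if p and (p[4] & (SYN | FIN)) == (SYN | FIN)]

def half_open_by_source(pkts, server_ip):
    """SYNs to the server never followed by an ACK from the same source port: {src_ip: count}."""
    syns, acked = Counter(), set()
    for p in map(parse_tcp, pkts):
        if not p or p[1] != server_ip:
            continue
        src, _, sport, _, flags = p
        if flags & SYN and not flags & ACK:
            syns[(src, sport)] += 1
        elif flags & ACK:
            acked.add((src, sport))          # third step of the handshake seen
    result = Counter()
    for (src, sport), n in syns.items():
        if (src, sport) not in acked:
            result[src] += n
    return dict(result)

# Constructed traffic: one complete handshake from 10.1.1.5, one SYN/FIN probe,
# and 50 SYNs from spoofed sources that are never acknowledged.
SERVER = "10.1.1.80"
SAMPLE = [build_tcp("10.1.1.5", SERVER, 40001, 80, SYN), build_tcp(SERVER, "10.1.1.5", 80, 40001, SYN | ACK),
          build_tcp("10.1.1.5", SERVER, 40001, 80, ACK), build_tcp("198.51.100.7", SERVER, 5555, 80, SYN | FIN)]
SAMPLE += [build_tcp(f"203.0.113.{i}", SERVER, 1024 + i, 80, SYN) for i in range(1, 51)]
```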


3. CONCLUSION 

The main objective of this research was to collect and analyze network-based evidence. The aim has been achieved successfully. Collection of evidence is accomplished via sniffer tools such as tcpdump and Wireshark, and via a security information and event management (SIEM) system, an automated system used by large enterprises to sort through system logs and generate reports of possible attacks. Analysis of evidence is performed by examining the traffic for sniffing attempts, MAC flooding attempts, FTP password cracking attempts, ARP poisoning attempts, malware activity and others. Evidence is not just collected from hard disks and secondary storage. There is a wealth of information available from network devices spread throughout the environment. With proper preparation, a CSIRT may be able to leverage the evidence provided by these devices through solutions such as a SIEM. The greatest challenge in network forensics is the quantity of data generated by the network, which amounts to gigabytes per day. This paper will help to create legal boundaries and present evidence in a more analyzed way by preparing for the legal aspects and tackling the technical challenges of network evidence collection and analysis.